How to eliminate last few events in a Splunk searc...

Ananthu · ‎08-02-2022

I have a scenario that i'm getting N number of results for last 60min splunk search like below (5:00Pm to 06:00PM).

2022-08-02 17:59:45.203 CCL220727468
2022-08-02 17:59:40.555 CCL220711461
2022-08-02 17:59:34.985 CCL220727468
2022-08-02 17:59:22.080 CCL220727468
2022-08-02 17:59:02.638 CCL220727468
2022-08-02 17:14:02.734 CCL220707460
2022-08-02 17:11:29.456 CCL220729470
2022-08-02 17:04:52.780 CCL220729470

In that i need to exclude the events close to the end time (for eg. I need to exclude the events with timestamp > 05:55PM. The events at the edge of search end time is not required).
This is for setup an alert which shows the number of events in last 60min

gcusello · ‎08-02-2022

Hi @Ananthu,

there are different solutions to your problem, identify the one for you:

You could change the time search period:

Your_search earliest=-15m@m latest=-5m@m

or you could take only e.g. ten values starting from the beginning:

your_search
| reverse
| head 10

Ciao.

Giuseppe

How to eliminate last few events in a Splunk search?

search job inspector

stats

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation